topic Re: Multiple Portals for Global protect -Configuration check-Inputs needed in General Topics

Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Tue, 29 Sep 2020 10:22:35 GMT

Hello ;

For one our Customer running PA 3200 Series in HA having GP License ( HIP checks)

Currently the GP Portal and Gateway have common Interface . The GP URL is vpn.connection.it ( sample name)

The requirement is that

Internal Users use the URL : internal.vpn.connection.it

External Users(Partners) use the URL : external.vpn.connection.it

The Users are part of different user groups .

So can we achive this using the same ( Single Public ) IP address or do we need two Public IP address

We can to use different HIP profiles for Internal and External users .

Do we need to create two different tunnel interface or loopbacks ? or two different gateways ?

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

Abdul-Fattah — Tue, 29 Sep 2020 10:53:12 GMT

Hi,

you can achive this with configuring an Internal Gateway and an external Gateway and one or two portal, the Internal Gateway is an interface on your internal Network, External Gateway accessed from Outside normally out from internet (Public-IP) - Tunnel interface required here.

for more information check these out

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Tue, 29 Sep 2020 12:17:02 GMT

Hi @Abdul-Fattah

Thanks for your reply

We are already have an Internal gateway which is being used currently only by Internal users when they are in Corporate network

The goal is this exercise is when Users connect to the GP outside of the company network ( internet or at home)

All the Corporate Users should use the URL internal.vpn.X . Different HIP profile , different IP Pool . different zone and different rules

All the Non Corporae users should use the URL external.vpn.X . Different HIP profile , different IP Pool . different zone and different rules

So my Query is whether we need two Tunnel Interfaces( One for each external Gateway) and two Loop backs ( one for each Portal )

So do i have to create two external gateways using two different loopbacks

and in the Portal settings define difference Address( FQDN) ?

Also , do i need two Public IPs ? or 1 can solve the purpose

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

Abdul-Fattah — Tue, 29 Sep 2020 13:19:45 GMT

then what you need is 2 external gateways, two tunnels, two public Ips.

another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed .

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Tue, 29 Sep 2020 13:53:55 GMT

Hi @FWPalolearner ,

I suggestion is to always avoid multiple ip address on same interface like you would avoid a plague/covid. I cannot claim I have deploy lots of GPs, but I haven't yet saw a real need to configure multiple portals on single device, so I will try to avoid such setup as well.

As @Abdul-Fattah mentioned you can provide single portal and once the user authenticate you can have group/user base separation (have different ip pool, dns, access etc for each user group). This would be the easiest way to have complete separation between internal users and contractors/3rd-party. The problem with this approach is that both type of users will need to use same authentication type. You can use different domain for user authentication, but the the type (LDAP, RADIUS, etc) must be the same for both (if you use mfa over radius you can be creative, but it is up to the mfa and not the fw). And as you can imagine both type of users will use the same vpn address.

If you really want internal users to use one address and contractors/external user to use completely different address - the only way to achieve this is to have second portal/gateway. As mentioned I would avoid secondary IP, instead I would recommend to use loopback (configure loopback with public ip, put it in untrust/outsie zone and use it for the gp portal and gw).

The only benefit I can think of is that you can apply different authentication type for each user group, so it is interesting for me to understand the reason why you need separate addresses

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Tue, 29 Sep 2020 14:07:52 GMT

Hi @aleksandar.astardzhiev @Abdul-Fattah

Thanks for your inputs ; really appreciate

The Customer requirement is to use two different URLs . I understand that we use different user groups but user groups are already in place

thre requirement is to have different URL and Different Portal

So what i understood , we need below on PA cluster - can you please confirm :

1) two GP Gateways with two Loopbacks ? two GP portals - where in - for one we define the URL for external and for other the internal one

2) two tunnel interfaces , two loopbacks - with different IPs

3) two zones - one for Internal and one for external ?

I still have doubt, why cant we use the same Public IP as we can make both DNS entries to resolve to same IP

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

Abdul-Fattah — Tue, 29 Sep 2020 15:01:28 GMT

two domains resolving to same IP, for palo alto you are using only one IP. the Firewall does not care about Public-domains. as i mentioned earlier :

"another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed ."

and for portal you change nothing.

Good Luck.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Tue, 29 Sep 2020 15:10:08 GMT

Hey @FWPalolearner ,

You can setup both DNS records to resolve to same IP, but:

- First you need to apply wildcard certificate on the portal or use certificate with SAN (subject alternative names)

- Even the users are pointed to different addresses they are still ended on the exact same portal, so they will be prompted with exact same authentication. This really annoys me with GP portal, there is no way to use multiple authentication realms and provide a way for the user to select/navigate to required auth realm.

So as long as you will use the same authentication type (LDAP, radius, etc) for all users (external and internal) you should be fine using two DNS records pointing to the same ip and having one portal. The important think here is the SSL certificate that will be used for the portal - either it must be wildcard (to match both urls) or it must list both in SAN (subject alternative names).

Your really don't need two gateways. You can use same gateways for both external and internal users, and using user group to apply different settings. The problem is again with the address, however during GP portal config you can specify different gateway addresses for each user group. So you can actually the exact same DNS records that you are using for the portal. And for the GP gateway you need to use the same SSL certificate (either wildcard or with SAN)

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

Abdul-Fattah — Tue, 29 Sep 2020 15:23:57 GMT

@aleksandar.astardzhiev

you can leverage "authentication-sequence" and select multiple authentication types/profiles (LDAP,Radius,Local..) and use it for Portals and Gatways.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Tue, 29 Sep 2020 15:30:29 GMT

Hey @Abdul-Fattah ,

You are absolutely right... I forgot about the authentication sequence, thanks.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Tue, 29 Sep 2020 19:30:44 GMT

Hi @aleksandar.astardzhiev @Abdul-Fattah

Can't thank you enough for your support and inputs.

I will share my change plan with you to have a final look in it please. I will share it quickly

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Wed, 30 Sep 2020 12:25:58 GMT

@aleksandar.astardzhiev @Abdul-Fattah

Below is what i am planning can you and provide your input

************************************

What we have now

the VPN URL we are using now is vpn.connect.it which resolves to the IP of Public Interface of the firewall

FW Public Interface : x.x.x.x

FW public zone : INTERNET

Loopback Interface : loopback.1 with an IP 192.168.75.1 bind to a zone called GP
Tunnel interface : tunnel.1 Bind to zone GP

Portal Config :

We have the Authentication sequence and a Wildcard in the SSL Service Profile for *.connect.it

We are using loopback.1 as the Interface . We are having the User groups defined in the Agent config

In the Agent config in the External Section , we have defined Host name vpn.connect.it

Gateway Config :

We are using the same loopback.1

same wildcard

In the agent we are using tunnel.1

and we have a Pool allocated for all the users defined in the user group

----------------------------------------------------------------------------------------
Now as we want separate Portal for Corp users and Partners , here is my plan

Create another DNS entrie for

partner.external.it

The Corp users will continue to use vpn.connect.it

both will resolve to x.x.x.x

Create a new Loopback loopback.2 with an IP 192.168.76.1 and bind to zone GP-EXT
Create a new Tunnel interface tunnel.2 and bind to zone GP-EXT

Portal Config :

Create a new Portal with loopback.2 and same auth sequence ;same wildcard
in the agent config in external section , define partner.external.it and in user groups only external AD users

Gateway Config

Use Loopback.2
same wildcard
In the agent , define tunnel.2 and separate pool for external users

Configure the required Firewall rules for new zone GP-EXT

The Point here is

currently

x.x.x.x is natted to 192.168.75.1

So how to NAT it to 192.168.76.1 for external users ??

Do i have to use another Public IP then

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Wed, 30 Sep 2020 18:20:33 GMT

Hey @FWPalolearner ,

From your explanation I don't believe you will need the second portal/gateway/loopback/tunnel.

1. Create new DNS record for external.connect.it to FW public x.x.x.x

2. Under the current portal create two "agent" configs based on user group, one for internal and one for partner users.

3. In first config set for external gateway "internal.connect.it", and for second agent config set "external.connect.it"

4. Under the current gateway create two client settings based on the two user groups (gateway -> agent -> client settings).

5. Under each client settings configure IP pool. Important note here is that you must not use Client IP Pool (gateway ->agent -> client ip pool). On this tab you define one single IP pool for all connected users, no matter which user group they are. To be able to configure different ip pool for each user group you must remove any config from client ip pool tab and put it under the client settings

And that should be enough. If you think for a moment only difference between the two "portals" is the FQDN that users are using, which really doesn't matter as long as you have a valid certificate to cover both addresses. Everything else should be standard user group based separation which you can accomplish with single portal and gateway.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Wed, 30 Sep 2020 18:27:59 GMT

@aleksandar.astardzhiev Thanks a lot . This is now very much easy and you made it very clear

I just have last doubt still .

Can i create a second tunnel interface and bind it to a new zone

This way i will create two GP gateways with two different tunnel interfaces - one for Corp and other for External

The only point is this will provide more security because we will have different Zones and can use them specifically

Kindly let me know your feedback on this

Again Many many Thanks . you are a saviour 🙂

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Wed, 30 Sep 2020 18:45:24 GMT

Hey @FWPalolearner ,

If you want to have separate gateway you definitely must use different IP, because you cannot have more than one GP gateway (or portal) on same interface.

But I would suggest to think for a moment if you really gain any benefit separating users into zones:

1. You already separate users based on user groups and assign different IP pools. Even that both type of users (internal and partners) are coming from same zone you still can use source user group and source ip to granular control over the user access.

2. If you worry about restricting access between VPN users (partner user connected to vpn to reach internal vpn user), I am not 100% sure at the top of my head, but I believe you can simply configure explicit intrazone rule to control the traffic between users.

Again even that all users are associated with same zone you still have other methods to differentiate between them.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Wed, 30 Sep 2020 19:05:50 GMT

@aleksandar.astardzhiev

My public interface is eth1/1

But I have created a loopback called loopback.1 with private ip 192.168.1.75

I am doing a nat to translate my public ip to this loopback ip address

I am currently using this loopback.1 in both gateway and portal

But I can still create a gateway with same loopback . However as loopback is/32 it does not give me option to choose ip address when creating the second gateway but it still accepts it as ip address is optional.

So I believe we can still create two gateways ?

Or you mean that second gateway without ip address is of no use ?

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

aleksandar.astardzhiev — Wed, 30 Sep 2020 19:24:54 GMT

Hey @FWPalolearner ,

I understand that you use loopback for GP portal and gateway and use NAT to translate the public to the loopback. I still don't understand why you do this way instead of use the eth1/1 in the GP portal and gateway on first place.

But let discuss the other point - "But I can still create a gateway with same loopback" even if you somehow manage to use same interface/ip on multiple gateway you should receive error during commit. Think about it - all comes done to sockets, creating GP gateway will create TCP socket which FW will listen for connections. Sockets consists of ip and port and you can have different services/application on different combination of ip and port. If you create second GP gateway you need to create second socket and since you cannot use different port (always using the standard port for SSL or IPSec) the only part you can change is the ip. Assigning same int and ip to both GP gateways will try to create two exactly the same sockets which will generate commit error.

And the same concept for the sockets apply for your NAT rules. I assume that you have NAT rule says "any public source to dest x.x.x, nat to any public source to dest 192.168.1.75". If you create second NAT rule similar to above, but with dest 192.168.1.76, the second nat will never hit (because the first math will be applied). Again you can play with ports as GP doesn't allow you change default ports, so the only way for the fw to apply the different nat rules is to use source ip address as matching criteria, but this defied the purpose of remote access vpn, because you will need to know from which public ip will the users connect.

Re: Multiple Portals for Global protect -Configuration check-Inputs needed

FWPalolearner — Wed, 30 Sep 2020 19:28:38 GMT

@aleksandar.astardzhiev thanks a lot .

Makes sense . I will make use of Ad groups and ip pool and keep it simple.

Thanks . Good learning for me

Glad we have people like you in the community to share the knowledge

@Abdul-Fattah thanks to you too .